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f^ ^ Abstract. We show optimal Direct Sum result for the one-way entanglement-assisted quantum com- 

fSJ ■ munication complexity for any relation f <Z X xy x Z. We show: 

Q'''"'\f^) = Q{m-Q'''"'\f)), 

where Q^''"'''(/), represents the one-way entanglement-assisted quantum communication complexity of 
00 \ f with error at most 1/3 and /®™- represents m-copies of /. Similarly for the one-way public-coin 

classical communication complexity we show: 
^ '. pi.pub^^^ffim^ ^ ^^^ . R''''"''(/)), 

(-H ' where R^''"'''(/), represents the one-way public-coin classical communication complexity of / with error 

[/J I at most 1/3. We show similar optimal Direct Sum results for the Simultaneous Message Passing (SMP) 

O . quantum and classical models. For two-party two-way protocols we present optimal Privacy Trade-off 

results leading to a Weak Direct Sum result for such protocols. 



We show our Direct Sum and Privacy Trade-off results via message compression arguments. These 
^ , arguments also imply a new round elimination lemma in quantum communication, which allows us 

to extend classical lower bounds on the cell probe complexity of some data structure problems, e.g. 
Approximate Nearest Neighbor Searching (ANN) on the Hamming cube {0, 1}" and Predecessor Search 
to the quantum setting. 
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1^^^ , In a separate result we show that Newman's [New91] technique of reducing the number of public-coins 

C^ • in a classical protocol cannot be lifted to the quantum setting. We do this by defining a general notion 

QQ ' of black-box reduction of prior entanglement that subsumes Newman's technique. We prove that such a 

f^ . black-box reduction is impossible for quantum protocols by exhibiting a particular one-round quantum 

protocol for the Equality function where the black-box technique fails to reduce the amount of prior 

entanglement by more than a constant factor. 

rS I In the final result in the theme of message compression, we provide an upper bound on the problem of 

^ . Exact Remote State Preparation (ERSP). 

1 Introduction 

Communication complexity studies the communication required to solve a computational problem 
in a distributed setting. Consider a relation f(^XxyxZ. In a. two-party protocol to solve /, 
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one party say Alice would be given input x £ X, and the other party say Bob would be given 
input y G y. The goal for Alice and Bob would be to communicate and find an element z £ Z 
that satisfies the relation, i.e., to find a z such that {x,y,z) £ f. The protocols they follow could 
be deterministic, randomized or quantum leading to different notions of deterministic, randomized 
and quantum communication complexity. Please refer to Sec. 2.2 for detailed exposition to various 
models, definitions and notations related to classical and quantum communication complexity. 

1.1 Direct Sum 

Let us consider a natural question in communication complexity as follows. Suppose Alice and Bob 
wish to solve several, say k, instances of relation / simultaneously, with constant success on the 
overall output. A Direct Sum theorem states that the communication required for accomplishing 
this would be at least k time the communication required for solving single instance of /, with 
constant success. It is a natural and fundamental question in communication complexity. 

Although they seem highly plausible, it is well-known that Direct Sum results fail to hold 
for some settings of communication. For example for the Equality function (EQ„), in which Alice 
and Bob need to determine if their n-bit inputs are equal or not, its randomized private-coins 
communication complexity, denoted R(EQ„) does not satisfy the Direct Sum property. It is known 
that R(EQ^) = 0(log n) whereas for testing Equality of k = log n ^ pairs of n-bit strings R(EQ® ) = 
0(A;log A; -|- logn) = O(lognloglogn) (see, e.g., [KN97, Example 4.3, page 43]), where we might 
expect R(EQ® ) = f2{klogn) = J?(log n). Similarly, Shaltiel [Sha03] gives an example for which 
a related notion called the Strong Direct Product property fails to hold for average case (i.e., 
distributional) communication complexity. (A Strong Direct Product theorem would show that 
even with probability of success that is exponentially small in k, the cost of solving k instances of 
/, would be k times the cost of solving one instance.) 

Previous works: Notwithstanding these examples. Direct Sum results have met with some success 
in several settings of communication. It is straightforward to show that D^(/) : the deterministic 
one-way communication complexity of every relation /, satisfies the Direct Sum property. It is also 
known that for two-way protocols, for any function /, D(/®^) = f2{k • y^D(/)) (see, e.g., [KN97, 
Exercise 4.11, page 46]). For classical distributional complexity, under the uniform distribution on 
the inputs, Chakrabarti, Shi, Wirth, and Yao [CSWYOl] showed Direct Sum in the one-way and 
SMP models of communication. They introduced an important notion of information cost and ob- 
tained their Direct Sum result via a message compression argument. The notion of information cost 
has also been effectively used to obtain two-way classical and quantum communication complex- 
ity bounds for example see [BYJKS04,JRS03b]. Jain, Radhakrishnan, and Sen [JRS03a] extended 
the result of [CSWYOl], and provided a Direct Sum result for classical distributional complexity 
under any product distribution on inputs, for bounded-round two-way protocols. They [JRS03a] 
again used the information cost approach however achieved their message compression via differ- 
ent techniques (than [CSWYOl]) involving the Substate Theorem [JRS02]. Recently, Harsha, Jain, 
McAllester, and Radhakrishnan [IIJMR07] have strengthened the Direct Sum result of [JRS03a] 
by reducing to a large extent its dependence on the number of rounds. The message compression 
results in [JRS03a,HJMR07] have been used in the work of Chakrabarti and Regev [CR04] to 
show lower bounds on the Approximate Nearest Neighbor problem (ANN) in the cell probe model. 



All logarithms in this article are taken to base 2 unless otherwise specified. 



Patra§cu and Thorup [PT06b] also use Direct Sum type results to prove better lower bounds for 
this problem. 

Our results: In this paper we prove that for any relation f Q X x y x Z, the classical public- 
coin one-way communication complexity R^'P" (/) and the one-way entanglement assisted quantum 
communication complexity Q^''^"'^(/) satisfy the Direct Sum property. Similarly in the SMP model 
RII'P" (/) and Q"'''" (/) satisfy the Direct Sum property. Our precise results are as follows. 

Theorem 1 (Direct Sum). Let f(lXxyxZbea relation. Let e,5 G (0, 1/2) with e + 6 < 1/2. 
For one-round protocols we have: 



1. Rl'P-\f(Bm^ > Qi^S^m-Rl'^fif)). 

Similarly for SMP protocols (with shared resource as specified in Section 2.2), we have: 
L Rp"b^/em) > f2 (6^m • rJ;';^/)) . 



We obtain our Direct Sum results via message compression results. Our message compression 
result for classical one-way protocols is as follows: 

Result 1 (Classical one-way message compression, informal statement) Let f C A'x3^x 
Z be a relation and let ^ be a probability distribution (possibly non-product) on X x y . Let V be 
a one-way private-coins classical protocol for f (with single message from Alice to Bobj having 
bounded average error under ^. Suppose Alice's message in V has mutual information (please refer 
to Sec. 2 for definition) at most k about her input. Then there is a one-way deterministic protocol 
"P' for f having similar average error probability under n, in which Alice's message is 0{k) bits 
long. 

We show similar message compression result for one-way quantum protocols. 

Result 2 (Quantum one-way message compression, informal statement) Let f C Xxyx 
Z be a relation and let fi be a probability distribution (possibly non-product) on X x y. Let V be 
a one-way quantum protocol without prior entanglement for f having bounded average error prob- 
ability under fi. Suppose Alice's message in V has mutual information at most k about her input. 
Then there is a one-way protocol V' for f with prior entanglement having similar average error 
probability under n, where Alice's message is classical and 0{k) bits long. 

The proof of the above result uses a technical quantum information-theoretic fact called the 
Substate Theorem [JRS02]. Essentially, it says that if a quantum encoding of a classical random 
variable x ^^ ax has information at most k about x, then for most x, i^pfkj ^ o' (for Hermitian 

def 

matrices A, B, A < B is a shorthand for the statement "S — A is positive semidefinite"), where a = 
Kx[(Jx]- Similarly the classical message compression result uses the classical version of the Substate 
Theorem. The classical Substate Theorem was also used by [JRS03a] to prove their classical message 
compression results. 

Res. 2 also allows us to prove a new round elimination result for quantum communication. To 
state the round elimination lemma, we first need the following definition. 



Definition 1. Let f : X x y ^ Z be a function. The communication game f^^''^ is defined 
as follows: Alice gets k strings xi,...,Xk G X- Bob gets an integer j £ [k], a copy of strings 
xi, . . . ,Xj-i, and a string y £ y. They are supposed to communicate and determine f{xj,y). The 
communication game f^''>'^ is defined analogously with roles 0/ Alice and Bob reversed. 

Result 3 (Round elim., informal stmt.) Let f : X x y ^ Z be a function. Suppose V is 
a t-round quantum protocol for /C^)'"^ with prior entanglement having bounded worst case error. 
Suppose Alice starts the communication and the first and second messages ofV are /i and I2 qubits 
long respectively. Then there is a {t—l)-round protocol for f with prior entanglement having similar 
worst case error where Bob starts the communication and the first message is I2 • 2 ^^' > qubits 
long. The subsequent communication in V is similar to that in V . 

The classical analogue of the above result was shown by Chakrabarti and Regev [CR04], where they 
used the message compression arguments of [JRS03a,HJMR07] to arrive at their result. The above 
round elimination lemma is useful in situations where Alice's message length li is much smaller than 
Bob's message length I2. Such a situation arises in proving cell probe lower bounds for data structure 
problems like ANN in {0, 1}" and Set Predecessor. [CR04] used it crucially in proving optimal 
randomized cell probe lower bounds for ANN. Recently, Patrascu and Thorup [PT06a,PT06b] used 
the same classical technique to prove sharper lower bounds for the Set Predecessor problem. We 
remark that both these results carry over to the address-only quantum cell probe model (defined in 
[SVOl]) as a consequence of Res. 3. 

1.2 Privacy trade-offs 

Let us consider another natural question in communication complexity as follows. Let f Q X x 
y X Z he a relation. We are interested in the privacy loss of Alice and Bob that is inherent in 
computing /. Privacy in communication complexity was studied in the classical setting by Bar- 
Yehuda et al. [BCK093], and in the quantum setting by Klauck [Kla02] and Jain, Radhakrishnan, 
and Sen [JRS02]. For studying privacy issues in quantum communication, we only consider protocols 
without prior entanglement. To define the privacy loss of Alice, imagine that Alice follows the 
protocol V honestly but Bob is malicious and deviates arbitrarily from V in order to extract the 
maximum amount of information about Alice's input. The only constraint on Bob is that Alice 
should not be able to figure out at any point of time whether he is cheating or not; we call such a 
cheating strategy of Bob undetectable. Suppose fi = fix x fiy is a product probability distribution 
on X X y. Let register X denote the input qubits of Alice, and B denote all the qubits in the 
possession of Bob at the end of V. We assume the input registers of Alice and Bob are never 
modified and are never sent as messages in V. Then the privacy loss of Alice under distribution 
fi at the end of V is the maximum mutual information I{X : B) over all undetectable cheating 
strategies of Bob. The privacy loss of Bob can be defined analogously. In the quantum setting 
Bob has a big bag of undetectable cheating tricks that he can use in order to extract information 
about X. For instance, he can start the protocol V by placing a superposition of states \lJ-y) (for 

a probability distribution vr on Z, JTr) = ^^ y^iT{z)\z)) in his input register Y and running the 
rest of the protocol honestly. This trick works especially well for so-called clean protocols that 
leave the work qubits of Alice and Bob at the end of the protocol in the state |0). For example, 
consider the following exact clean protocol V computing the inner product modulo 2, x ■ y, of two 
bit strings x,y £ {0, 1}": Alice sends her input x to Bob, Bob computes x ■ y and sends back x to 



Alice keeping the bit x ■ y with himself, and finally Alice zeroes out Bob's message by XORing with 
her input x. If Bob does the above 'superposition cheating' trick for V, his final state at the end of 
V becomes ( X^vejo n^lv^^ ' v))- It is easy to see that Bob has ^ bits of information about x, if x is 
distributed uniformly in {0, 1}". Thus, the privacy loss from Alice to Bob for this protocol is at least 
^, under the uniform distribution on {0, 1}" x {0, 1}". See [CvDNT98] for more details. Thus, it is 
conceivable that Alice and Bob use an 'unclean' protocol to compute / in order to minimize their 
privacy losses. We shall be concerned with proving tradeoffs between the privacy losses of Alice and 
Bob for any quantum protocol computing /, including 'unclean' ones. Please refer to Sec. 4, Def. 6 
for precise definition of privacy loss. Note that defining the privacy loss only for quantum protocols 
without prior entanglement is without loss of generality, since we can convert a protocol with prior 
entanglement into one without prior entanglement by sending the entanglement as part of the first 
message of the protocol; this process does not affect the privacy loss since after the first message is 
sent, the qubits in the possession of Alice and Bob are exactly the same as before. 

For private-coin randomized classical protocols, a related notion called information cost, was 
defined in [CSWY01,BYJKS04] to be the mutual information I{XY : M) between the players' 
inputs and the complete message transcript M of the protocol. For quantum protocols there is no 
clear notion of a message transcript, hence we use our definition of privacy instead. Also, other than 
cryptographic reasons there is also another reason why we allow the players to use undetectable 
cheating strategies. In the above clean protocol V for the inner product function, if both Alice and 
Bob were honest the final state of "P would be |x)(8>|y,x-y), where the first state belongs to Alice and 
the second to Bob. Under the uniform distribution on x,y the privacy loss from Alice to Bob is 1, 
whereas the classical information cost is at least n. This shows that in the quantum setting, because 
of the ability of players to 'forget' information by uncomputing, it is better to allow undetectable 
cheating strategies for players in the definition of privacy loss in order to bypass examples such as 
the above. 

Our results: In this paper we relate the privacy loss incurred in computation of any relation / to 
the one-way communication complexity /. We show that in multi-round protocols with low privacy 
loss, all the messages could be replaced by a single short message. For quantum protocols, again 
using the Substate Theorem [JRS02], we prove the following result. 

Result 4 (Quantum multiple rounds compression, informal stmt.) Let f (1 X xy x Z be 

a relation and let fi be a product probability distribution on X xy. Let V be a multi-round two-way 
quantum protocol without prior entanglement for f having bounded average error probability under 
fi. Let ka, kb denote the privacy losses o/ Alice and Bob respectively under distribution /x in V . 
Then there is a one-way protocol V' for f with prior entanglement having similar average error 
probability under fi, such that the single message of V' is from Alice to Bob, it is classical and 
ka2^^^*>' bits long. Similarly statement also holds with the roles o/ Alice and Bob reversed. 

We would like to remark that Res. 2 does not follow from Res. 4. Res. 2 holds for any probability 
distribution on X xy whereas our proof of Res. 4 requires product distributions. It is open whether 
a similar multi-round compression result can be proved for non-product distributions for quantum 
protocols. 

Similarly for classical protocols we show the following result. Please refer to Sec. 4, Def. 7 for 
precise definition of privacy loss for classical protocols. 



Result 5 (Classical multiple rounds compression, informal stmt.) Let fCXxyxZbe 
a relation and let ^ he a product probability distribution on X xy . Let V be a multi-round two-way 
private-coins classical protocol for f having bounded average error probability under fi. Let ka, kb 
denote the privacy losses 0/ Alice and Bob respectively under distribution fi in V . Then there is a 
one-way deterministic protocol V for f having similar average error probability under ^, such that 
the single message of V' is from Alice to Bob and is ka2^ ''' bits long. Similarly statement also 
holds with the roles 0/ Alice and Bob reversed. 

We would like to point out that the proof of this result does not follow entirely on the lines of 
Res. 4, essentially due to the difference in the definition between the notions of privacy loss for 
classical and quantum protocols. Therefore its proof is presented separately. 

These message compression results immediately imply the following privacy trade-off results 
(similar results hold with the roles of Alice and Bob reversed.) 

Result 6 (Quantum privacy trade-ofF) Let the privacy loss 0/ Alice be ka and the privacy loss 
of Bob be kb at the end of a quantum protocol without entanglement V for computing a relation 
f CX xy X Z. Then, 

where Q1'^~*^'P"°'IJ(^) is the maximum over all product distributions fi on X x y, of the one- 
round quantum communication complexity (with AWce communicating) of f with prior entanglement 
having bounded average error under fi. 

Result 7 (Classical privacy trade-off") Let the privacy loss 0/ Alice be ka and the privacy loss 
of Bob be kb at the end of a classical private coins protocol V for computing a relation f C XxyxZ. 
Then 

where R"*^' '^^(/) is the maximum over all product distributions fi on X x y, of the one-round 
classical distributional communication complexity (with Alice communicating) of f having bounded 
average error under fi. 

Remarks: 

1. Note that Res. 6 also shows that the privacy loss for computing / is lower bounded by /?(log Q^'P"'''! 1 (/)). 
This latter result can be viewed as the privacy analogue of Kremer's result [Kre95] that the 
bounded error quantum communication complexity of / is lower bounded by the logarithm of 

its deterministic one-round communication complexity. 

2. Res. 4 and Res. 5 also allow us to show weak general Direct Sum result for quantum protocols 
and classical protocols as mentioned in Corr. 3 and Corr. 5 respectively in Sec. 4. 

3. All these results are optimal in general as evidenced by the Index function problem [ANTV02]. 
In the Index function problem, Alice is given a database x G {0, 1}" and Bob is given an index 
i G [n]. They have to communicate and determine Xj, the i-th bit of x. The one-round quantum 
communication complexity from Alice to Bob for this problem is f2{n), even for bounded average 
error under the uniform distribution and in the presence of prior entanglement. Thus, we get 
the privacy tradeoff ka'^P^^*'' = f^{n) for the Index function problem. This is optimal; consider a 
deterministic protocol where Bob sends the first h bits of his index and Alice replies by sending 
all the ^ bits of her database consistent with Bob's message. 
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4. Earlier, Jain, Radhakrishnan, and Sen [JRS02] had proved the same privacy tradeoff for the 
Index function problem specifically. Our general tradeoff above can be viewed as an extension 
of their result to all functions and relations. 

1.3 Impossibility of black-box entanglement reduction 

Let us return to the third main question we investigate in this work which appears different but is 
intimately related to the theme of message compression and we mention this connection later. 

We know that for some quantum communication problems, presence of prior entanglement helps 
in reducing the communication. For example, the technique of superdense coding [BW92] allows us 
to often reduce the communication complexity by a multiplicative factor of 2. So a natural question 
that arises is how much prior entanglement is really required by a quantum protocol? For classical 
communication, Newman [New91] has shown that O(logn) shared random bits are sufficient for 
any protocol. This is tight, as evidenced by the Equality function on {0, 1}" which requires ©(logn) 
bits with private randomness and 0(1) bits with shared randomness. One might hope to extend 
Newman's [New91] proof that a classical protocol needs only O(logn) shared random bits to the 
quantum setting. Newman's proof uses a Chernoff-based sampling argument on the shared random 
bit strings to reduce their number to 0{n). Moreover, the reduction is done in a black-box fashion 
i.e. it does not change the computation of Alice and Bob in the protocol. In the quantum setting, 
one might similarly hope to reduce the amount of entanglement of the prior entangled state \4>) 
to O(logn) and leave the unitary transforms of Alice and Bob unaffected i.e. the hope is to find a 
black-box Newman-style prior entanglement reduction technique. We show that such a black-box 
reduction is impossible. 

To state our result precisely, we need the following definitions. 

Definition 2 (Similar protocols). Two protocols V and V' with prior entanglement and out- 
putting values in Z are called similar protocols if both use the same number of qubits and the same 
unitary transformations and measurements, have the same amount of communication and for all 
{x,y) £ {0,1}" X {0,1}", \\Vix,y) -'P'{x,y)\\^ < 1/20. Here, V{x,y), V'{x,y) are the probability 
distributions on Z of the output of protocol V, V on input {x,y). V , V may use different quantum 
states as their input independent prior entanglement. 

Definition 3 (Amt. of entanglement). For a bipartite pure state \4>)ab, consider its Schmidt 
decomposition, {(p) = J2i=i V^l^^i) <25 \bi), where {oj} is an orthonormal set and so is {bi}, Aj > 

def 

and Ylii^i — 1- ^^^ amount of entanglement of \4')ab is defined to be E{\(J))ab) = — X^j AjlogAj. 
The Schmidt rank of \(J))ab is defined to be k. 

One might hope that the following conjecture is true. 

Conjecture 1. For any protocol V for / : {0, 1}" x {0, 1}" -^ Z with prior entanglement, there 
exists a similar protocol V' that starts with prior entanglement \(J))ab^ E{\(J))ab) = O(logn). 

We prove that the above conjecture is not correct for quantum communication protocols. 

Result 8 (No black-box red. of prior entang.) Let us denote the Equality function on n-bit 
strings by EQ„ . There exists a one-round quantum protocol V for EQ„ with -r- + log 72 + 0(1) EPR 
pairs of prior entanglement and communicating 4 bits, such that there is no similar protocol V' that 
starts with a prior entangled state |0)a_Bj E{\4))ab) < 71/600. 



Our proof of this result follows essentially by sharpening the geometric arguments behind the 
proof of the 'recipient-non- invasive incompressibility' result of Jain, Radhakrishnan, and Sen[JRS03a]. 
Jain, Radhakrishnan, and Sen [JRSOSa] showed that for classical constant round private-coin pro- 
tocols with a product probability distribution on their inputs, one can compress the messages to the 
information cost of the protocol. Their compression technique for classical protocols was 'recipient- 
non-invasive' in the sense that, for one round protocols, it did not change the computation of the 
recipient except up to a trivial relabeling of the messages. They however also showed that such 
a recipient-non-invasive compression result does not hold for quantum protocols; they exhibited a 
one-round quantum protocol without prior entanglement for the Equality function on n-bit strings 
with constant privacy loss, where any recipient-non-invasive compression strategy cannot compress 
Alice's message by more than a multiplicative factor of 6! We essentially convert their "incompress- 
ibility of message" result to "incompressibility of prior-entanglement" result. 

Remarks: 

1. The above Res. 8 shows that in order to reduce prior entanglement in quantum communication, 
one has to look beyond black-box arguments and change the unitary transforms of Alice and 
Bob. 

2. Recently Gavinsky [Gav08] showed that even if Alice and Bob are allowed to change their 
operations, there is an exponential increase that can occur in the required message length for 
computation of a relation in case the prior-entanglement is reduced only by a logarithmic factor. 
However Gavinsky measures shared entanglement with the number of qubits in the shared state 
between Alice and Bob, and not with the measure of entanglement as considered by us in Def. 3. 
Hence Res. 8, which first appeared in [JRS05], is incomparable to Gavinsky's result. 

1.4 Exact Remote State Preparation (ERSP) 

The final result we present in the theme of message compression concerns the communication 
complexity of the Exact Remote State Preparation (ERSP) problem. The ERSP problem is as 
follows. Let E : X ^ px he an encoding from a set X to the set of quantum states. 
Problem ERSP(^): 

1. Alice and Bob start with prior entanglement. 

2. Alice gets x ^ X. 

3. They interact at the end of which Bob should end up with px in some register. 

Remark: The adjective 'exact' signifies that we do not allow for any fidelity loss in the state that 
Bob should end up. 

We provide the following upper bound on the communication complexity of this problem. 

Theorem 2. Let E : x ^ px be an encoding where px is a pure state for all x and let a he any 
state with full rank. There is a protocol V for ERSP(-E) with expected communication bounded by 
max^{log(Tro-"Vx) + 21oglog(Trc^"Vx)}• 
1.5 Organization of the paper 

In the next section, we collect some preliminaries that will be required in the proofs of the message 
compression results. In Sec. 3, we prove our results on first round compression and round elimination 



in quantum protocols. We prove our multi-round compression result in Sec. 4. In Sec. 5, we show 
that black-box reduction of prior entanglement in quantum communication is impossible. Finally 
in Sec. 6 we provide the proof of the upper bound on the ERSP problem. 

2 Preliminaries 

2.1 Information Theory 

A quantum state is a positive semi definite trace one operator. For a quantum state p, its von- 

def 

Neumann entropy is defined as S{p) = Y^^ — Aj log Aj, where AjS represent the various eigenvalues of 
p. For an / qubit quantum system A, S{A) < I. For correlated quantum systems A, B their mutual 
information is defined as I{A : B) = S{A) + S(B) — S{AB). Given a tri-partite system A,B,C, 
mutual information satisfies the monotonicity property that is I {A : BC) > I {A : B). Let us define 

def 

I{A : B\C) = I{A : BC) — I{A : C). We have the following very useful Chain Rule for mutual 

information. 

k 

I{A:Bi... Bk) = ^ /(^ : ^d^i ■ • • ^^-i)- 
Therefore if Bi through B^ are independent systems then, 

k 

I{A:Bi...Bk)>Y,HA:B,). 

i=l 

For classical random variables the analogous definitions and facts hold mutates mutandis and 
we skip making explicit statements here for brevity. 

2.2 Communication complexity 

Quantum communication complexity: Consider a two-party quantum communication protocol 
V for computing a relation / : {0, 1}" x {0, 1}" -^ Z. The relations we consider are always total in 
the sense that for every (x, y) £ X xy, there is at least one z £ Z, such that (x, y, z) G /. In a two- 
way protocol V for computing /, Alice and Bob get inputs x £ X and y £ y respectively. They send 
messages (qubits) to each other in turns, and their intention is to determine an answer z £ Z such 
that {x,y,z) G f. We assume that V starts with the internal work qubits of Alice and Bob in the 
state |0). Both the parties use only unitary transformations for their internal computation, except 
at the very end when the final recipient of a message makes a von-Neumann measurement of some 
of her qubits to declare the output. Thus, the joint state of Alice and Bob is always pure during the 
execution of V. We also assume that the players make safe copies of their respective inputs using 
CNOT gates before commencing the protocol. These safe copies of the inputs are not affected by 
the subsequent operations of "P, and are never sent as messages. In this paper, we consider protocols 
with and without prior entanglement. By prior entanglement, we mean a pure quantum state \(j)) 
that is shared between Alice and Bob and that is independent of their input (x,y). The state \(j)) 
can be supported on an extremely large number of qubits. The unitary transforms of Alice in V are 
allowed to address her share of the qubits of \(f)); similarly for Bob. The classical analogue of prior 
entanglement is shared random bits. Often, the prior entanglement in a quantum protocol is in the 

9 



form of some number of EPR pairs, one-half of which belongs to Alice and the other half belongs 
to Bob. 

Given e G (0, 1/2), the two-way quantum communication complexity Qe(/) is defined to be the 
communication of the best two-way quantum protocol without prior entanglement, with error at 
most e on all inputs. Whenever error parameter e is not specified it is assumed to be 1/3. Given a 
distribution fion Xxy,we can similarly define the quantum distributional two-way communication 
complexity of /, denoted Qe{f), to be the communication of the best one-way quantum protocol 
without entanglement for /, such that the average error of the protocol over the inputs drawn 
from the distribution ft is at most e. We define Qe (/) = max^ product Q^(/)- The corresponding 
quantities for protocols with entanglement are denoted with the superscript pub. 

The following result due to Yao [Yao77] is a very useful fact connecting worst-case and dis- 
tributional communication complexities. It is a consequence of the MiniMax theorem in game 
theory [KN97, Thm. 3.20, page 36]. 

Lemma 1 (Yao's principle [Yao77]). Q^" (/) = max^ Q^^ ''*(/)■ 

Similar relationships as above also hold in the various other models that we mention below 
mutates mutandis. 

In the one-way protocols we consider, the single message is always assumed to be from Alice 
to Bob unless otherwise specified. Sometimes we specify the direction of the message for example 
with superscript A^ B. The complexities Qj(/),Qe'''" (/),Qe'^(/),Qe (/) could be analogously 
defined in the one-way case. 

In the Simultaneous Message Passing (SMP) model, Alice and Bob each send a message each 
to a third party called Referee. In the SMP protocols we consider, we let prior entanglement to be 
shared between Alice and Referee and Bob and Referee and public coins to be shared between Alice 
and Bob. The communication complexity in this described model is denoted by Q^ (/)• 

Classical communication complexity: Let us now consider classical communication protocols. 
We let D(/) represent the deterministic two-way communication complexity, that is the commu- 
nication of the best deterministic two-way protocol computing / correctly on all inputs. Let /x be 
a probability distribution on X x y and e G (0,1/2). We let D^(/) represent the distributional 
two-way communication complexity of / under /x with expected error e, i.e., the communication of 
the best private-coin two-way protocol for /, with distributional error (average error over the coins 
and the inputs) at most e under /j,. It is easily noted that D^(/) is always achieved by a determin- 
istic two-way protocol, and henceforth we will restrict ourselves to deterministic protocols in the 
context of distributional communication complexity. We let Re" (/) represent the public-coin ran- 
domized two-way communication complexity of / with worst case error e, i.e., the communication 
of the best public-coin randomized two-way protocol for / with error for each input (x, y) being 
at most e. The analogous quantity for private coin randomized protocols is denoted by Re(/)- The 
public- and private-coin randomized communication complexities are not much different, as shown 
in Newman's result [New91] that 

R(/) = 0(RP"^/) + loglog \X\ + log log 13^1). (1) 

We define Re (/) = max^ product D^(/). The analogous communication complexities for one- 
way protocols could be similarly defined. As before, we put superscript 1 to signify that they stand 
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for one-way protocols and superscript || to signify SMP protocols. In classical public coin SMP 
protocols that we consider, we let the public coins to be shared between Alice and Bob. 

2.3 Substate Theorem and (S, Q;)-corrector 

All our message compression arguments are based on the following common idea: If Alice does 
not reveal much information about her input, then it must be the case that Bob's state after 
receiving Alice's messages does not vary much (as Alice's input varies). In this situation, Alice and 
Bob can start in a suitable input independent state and Alice can account for the variation by 
applying appropriate local transformations on her registers. We formalize this idea using the notion 
of a (5, a)-corrector, and establish the existence of such correctors by appealing to the following 
information-theoretic result, the Substate Theorem due to Jain, Radhakrishnan, and Sen [JRS02]. 

Fact 1 (Substate Theorem, [JRS02]) Let 7i,IC be two finite dimensional Hilbert spaces and 
dim(/C) > dini(TC). Let C^ denote the two dimensional complex Hilbert space. Let p,a be density 
matrices in TC such that S{p\\a) < cx). Let |p) be a purification of p inli^K,. Then, for r > 1, 
there exist pure states \4>),\6) G 7i <i^ K, and \a) G H /C (gi C^, depending on r, such that \a) is a 
purification of a and 



p){p\-\cP)m\tr<j^'^here 






\-^\ <l^f , r ~ ^ u\|i\ 1 , 


/i- 


r-1 


' ' V r2'-'= '^^'^ V 


j.2rc 



and c = S{p\\a) +0{y'S{p\\a)) + 0{1). Note that one can, by means of a local unitary operator on 
K.'^'C?, transform any known purification \a') of a to \a) . Also, measuring the last qubit of\a) and 
observing a |1) puts the remaining qubits into the state \4>). It follows that for every purification \a') 
of a, there is an unnormalized superoperator M, depending on \ct'), acting on the qubits of\a') other 
than those of a, such that Ai(\a'){a'\) normalized is equal to \(/)). Furthermore, this superoperator 
succeeds with probability at least -^^ . 

Definition 4 (((5, a)-corrector). Let Alice and Bob form a bipartite quantum system. Let X denote 
Alice's input register, whose values range over the set X. For x £ X, let a^ be a state wherein the 
state of the register X is \x); that is, o^ has the form \x){x\i^px. Let fi be a probability distribution on 
X . Let a be some other joint state o/ Alice and Bob. A (5, a) -corrector for the ensemble {{ax}xeXi^} 
with respect to the distribution p is a family of unnormalized superoperator s {^Ax}xeX acting only 
on Alice's qubits such that: 

def 

1. rx = Tr}Ax{<^) = o for all x £ X, that is, Aix when applied to a succeeds with probability 
exactly a. 

2. ^Ax{cy) has the form \x){x\ fS> p'x, that is, the state of the register X o/ Alice is \x) when Mx 
succeeds. 

3. K^Ulax — a-^a:('^) t ] — ^' ^^'^^ ^"^' -^^ ^^ success corrects the state a by bringing it to within 
trace distance 6 from ax- 

We shall also need the following observation. 

Proposition 1. Suppose a boolean-valued measurements succeeds with probabilities p, q on quan- 
tum states p, a respectively. Let p' , a' be the respective quantum states if Ai succeeds. Then, 

11 



Proof. We formalize the intuition that if some measurement distinguishes p' and a' , then there is a 
measurement that distinguishes p and a. Assume p> q (otherwise interchange the roles of p and a). 
Now there exists (see e.g. [AKN98]) an orthogonal projection M' , such that TrM'(p'— a') = ^ '^'' . 
Let M" be the POVM element obtained by first applying POVM ^A and on success applying M' . 
Then the probability of success of M" on p is p • TrM'p', and the probability of success of M" on 
aisq- JrM'a' < p • JrM'a'. Thus, 

- Up - o-lltj. > TrM'V - TrM'V 

> p(TrMV' - JrM'a') 
= - II '- 'II 

2' \\P ^ lltr' 

implying that ||p' — 0"'||^j, < ^ • D 

We are now ready to use the Substate Theorem to show the existence of good correctors when 
Bob's state does not contain much information about Alice's input. While applying the Substate 
Theorem below, it will be helpful to think of Alice's Hilbert space as /C (8) C^ and Bob's Hilbert 
space as 7i in Fact 1. 

Lemma 2. For x & X, let \(px) = |a^)|V'a;) be a joint pure state 0/ Alice and Bob, where \x) and 
possibly some other qubits of \ipx) belong to Alice's subsystem A, and the remaining qubits of {ipx) 

def 

belong to Bob's subsystem B. Let p be a probability distribution on X; let a = 'E^\(f)x){4'x\ OLnd 

\(j)) = Sa; \/ l^{^)\4'x) ■ Let X denote the register 0/ Alice containing \x). Suppose I{X : B) = k, 
when the joint state of AB is a. Then for 6 > 0, there is a (6, a) -corrector {Aix}xex for the 
ensemble {{\4>x)}', \<P)} where a = 2~'^('^'/^ ). 

def def 

Proof. Let px = J'^ aI'Px) {'t'xl and p = TrA\<P){4'\- Note that p = K^px- Now, k = I{X : B) = 
^fiS^pxllp)- By Markov's inequality, there is a subset Good C X, Pr^[Good] > 1 — 5/4, such that 
for all X G Good, S{px\\p) < 4/c/5. We will define superoperators Aix for x £ Good and x Good 
separately, and then show that they form a {5, a)-corrector. 

Fix X G Good. Using Fact 1 with r to be chosen later, we conclude that for all x G Good, 

there is an unnormalized superoperator Aix acting on A only such that if qx = TrAix{\<P){<P\), 
-^ 4 Ma:{\^mm ^]^g^^ q^ > -I^z^ and \\ax - \4>x) {(pxlWtr < -^- Now, measure register X in dx 
and declare success if the result is x. Let a'x be the resulting normalized state when x is observed. 
Measuring X in \(j)x) results gives the value x with probability 1. Hence, by Proposition 1, 

II / II 2 

\\(^x-\<Px){(l)x\\l, < ^• 

Furthermore, since ||cra: — |i?i'x)('?^a;||ltr — "7"' *^^ probability q'x of observing x when X is measured 
in the state ax is at least 1 y=, and the overall probability of success is at least qxq'x ^ (1 — 

-4^)( ^^k/s ) = a. In order to ensure that the overall probability of success is exactly a, we do 

a further rejection step: Even on success we artificially declare failure with probability 1 ^. 

Let Aix be the unnormalized superoperator which first applies Mx, then measures the register X, 
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and on finding x accepts with probability — ^. Thus, for all x € Good, the probability of success 

Vx = Tr^Ax{\(t)){(t)\) is exactly equal to a. This completes the definition of ^Ax for x G Good. 

For X Good, Mx swaps \x) into register X from some outside ancilla initialized to |0) and 
declares success artificially with probability Vx = a. For all x G A', let o"^ = — EiJzZirii, 

Thus for all x G A', u^ contains \x) in register X and rx = a. Finally, we have 

< X] ^^i^)\Wx-\'t>x){(t)x\\\^^+ ^ Kx)-2 
xGGood a;^Good 

2 5 
V^ 4 
For r = t|, this quantity is at most 6, and we conclude that the family {Mx}xeX forms the required 
((5, a)-corrector for the ensemble {{|(;^a:)}2:gA'; ](!>)} with a = 2'^^^ ' ' . D 

2.4 Miscellaneous 

We have the following Lemma. 

Lemma 3. Let 5 > Q. Let P, Q be probability distributions with support on set X such that 
S{P\\Q) < c. Then, we get a set Good C X such that 

Pr[x G Good! > 1 - (5 and Vx G Good, -44 < 2^. (2) 

P Q{x) 

Proof. We first have the following claim: 

Claim. Let P and Q be two distributions on the set X. For any set X' C X, we have 

E P(x) loge 

Proof. We require the following facts. 

1. log-sum inequality: For non-negative integers oi, . . . , a„ and 6i, . . . , 6„, 

2. The function xlogx > — (loge)/e for all x > 0. 

From the above, we have the following sequence of inequalities. 

J2xex Qi^) 



> [ ^P(x)+ j;Q(x))log 

= (Y^ P(x) + Y. Q(x) ) log ( Y. P[x) + Y. Q w ) 

XxaX' x4X' / \x&X' x4X' / 



^ loge 



D 
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Now: 

x:P{x)>Qix) ^^ ^ a;:P(a;)<Q(x) ^^ ^ 



x:P(x)>Q{x) 

' + 1 > ^ P(x) lo^ 

x:P{x)>Q{x) 



Q{x) 
P(x) 



Q{x) 

Now we get our desired set Good immediately by using Markov's inequality. D 

We also need the following lemma. 

Lemma 4. Let XAB he a tri-partite system with X classical and A, B quantum systems. If I{X : 
A) = then I{X : AB) < 2S{B). 

Proof. We have the following Araki-Lieb [ALTO] inequality for any two systems Mi,M2: \S{Mi) — 
S{M2)\ < S{MiM2). This implies: 



Now, 



/(Ml : Ms) = S{Mi) + S{M2) - ^(MiMs) < min{25(Mi), 25(M2)}. 

I{X : AB) = I{X : A) + I{XA : B) - I{A : B) 
< I{XA : B) < 2S{B). 



3 One-way Message Compression and Optimal Direct Sum 

Although in this section are concerned with message compression in one-way protocols, we state our 
results in a general setting of compressing the first message of multi-round two-way protocols. This 
way of stating our message compression results is helpful in expressing our round-elimination results. 
We state our results and proofs here only for quantum protocols and the corresponding results for 
classical protocols can be obtained in analogous fashion. We skip making explicit statements and 
proofs for classical protocols for brevity. 

3.1 Message Compression and Round Elimination 

We begin with the following definition. 

Definition 5 {[t;li, . . . , It] protocol). In a [t;li, . . . , It] protocol, there are t rounds of commu- 
nication with Alice starting, the ith message being li qubits long. A [t;li, . . . ,lt]^ protocol is the 
same but Bob starts the communication. 

Theorem 3 (Compressing the first message). Let fCXxyxZbea function and n be 
a probability distribution on X x y. Suppose V is a [t;li,l2, . . . ,lt] quantum protocol without 
prior entanglement for f having average error less than e under fi. Let X denote the random 
variable corresponding to Alice's input and Ni denote the qubits of Alice's first message in V. 
Suppose I{X : Ni) < k. Let 6 > be a sufficiently small constant. Then, there is a [t; (3,l2 . . . , h] 
quantum protocol V' with prior entanglement for f with average error less than e + 6 under fi, where 
P = O (tt)- Also, the first message o/ Alice in V' is classical. 
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Proof. Let \(f>x) denote the state vector in V of Alice's qubits (including her input register) and her 
first message A'^i just after she sends A'^i to Bob, when she is given input x G X. Let \(p) denote 
the corresponding state vector in V when the protocol starts with Alice's input registers in the 
state X^a; v^Pi|</'a:)) where Px = Pr^[X = x]. Since I{X : Ni) < k, Leva. 2 implies that there is a 
((5/2, a)-corrector {M.x}xex for the ensemble {{\(f>x)}xex', \(f>)} where a = 2~'^(^/^ ). That is, with 
Tx = MMx\ct>){4>\) and a', ':^ MJ^^ ^^ ^^^^ ^^ ^y^ _ \^^)^^^\\\j < |. 

We now describe the protocol V. The protocol V' starts with 2^ = a^^log{2/d) copies of 
\(/)) as prior entanglement. Alice applies Mx to each copy of \(/)) and sends the index of the first 
copy on which she achieves success. Thus, her first message in V' is classical and /3 = log(l/a) + 
loglog(2/5) = 0{k/6^) bits long. Alice and Bob use that copy henceforth; the rest of 7^' is exactly as 
in v. The probability that Alice achieves success with Mx on at least one copy of \(j)) is more than 
1—2- Furthermore, the state of Alice's registers and the first message Ni on this copy is exactly 
a'^. Thus, the probability of error for the protocol V' is at most 

e + -+E^[\\a',- |0.)(0.| II J <e + - + -<e + 6. 

This completes the proof of the theorem. D 

Remark: We can eliminate prior entanglement in quantum protocols by assuming that Alice gener- 
ates the prior entangled state herself, and then sends Bob's share of the state along with her first 
message. This can make Alice's first message long, but if the information about X in Alice's first 
message together with Bob's share of prior entanglement qubits in the original protocol is small, 
then the conclusions of the theorem still hold. 

Corollary 1 (Eliminating the first round). Under the conditions of Thru. 3, ift>3 there is a 
[t — 1; 2^/2, I3 + (3,li, . . . , It] quantum protocol V with prior entanglement for f with average error 
at most € + 5 under fi. Ift = 2, we get a [1; 2^12]^ quantum protocol V with prior entanglement for 
f with average error at most e + 6 under ^. 

Proof. Suppose t > 3. Let N2, N^ denote the second and third messages of V' . Consider a (t — 1)- 
round protocol V where Bob begins the communication by sending his messages N2 for all the 2^ 
copies of |(/>). This makes Bob's first message in V to be 2^l2 qubits long. Alice replies by applying 
Mx to each copy of \(j)) and sending the index of the first copy on which she achieves success. 
She also sends her response N^ corresponding to that copy of \(j)). Thus, her first message in V is 
h + (i qubits long. Note that the operations of Bob and the applications of M.x by Alice during the 
first two messages of V are on disjoint sets of qubits, hence they commute. Thus, the global state 
vector of V after the second message is exactly the same as the global state vector of V' after the 
third message. Hence the error probability remains the same. This proves the first statement of the 
corollary. The second statement of the corollary (case t = 2) can be proved similarly. D 

Remark: The above corollary can be thought of as the quantum analogue of the 'message switching' 
lemma of [CR04]. 

Using Corr. 1, we can now prove our new round elimination result for quantum protocols. 

Theorem 4 (Round elimination lemma). Let f : X x y ^ Z he a function and k, t he 
positive integers. Suppose t > 3. Suppose V is a [t;li,l2,l3, . . . ,lt] quantum protocol with prior 
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entanglement for /C^)'^ (recall definition Def. 1) with worst case error less than e. Let 5 > be a 

sufficiently small constant. Let (5 = 0{-fjt). Then there is a [t — 1; 2^l2, ^3 + /3) • • • ) h] Quantum 
protocol with prior entanglement for f with worst case error at most e + 6. 

Proof. (Sketch) The proof follows in a standard fashion by combining the proof technique of Lem. 4 
of [Sen03] with Corr. 1. We skip making a complete proof for brevity. D 

Remark: The above round elimination lemma is quantum analogue of a classical round elimination 
result of Chakrabarti and Regev [CR04]. It allows us to extend their optimal randomized cell probe 
lower bound for Approximate Nearest Neighbor Searching in the Hamming cube {0, l}" to the 
quantum address-only cell probe model defined by Sen and Venkatesh [SVOl]. It also allows us to 
extend the sharper lower bounds for Predecessor Searching of Patrascu and Thorup [PT06a] to the 
quantum case. We skip making explicit statements and their proofs for brevity. 

3.2 One- Way Optimal Direct Sum 

We get the following implication of Thm. 3 to the Direct Sum problem for one-round quantum 
communication protocols. Recall that J®™ is the m-fold Direct Sum problem corresponding to the 
relation /. 

Theorem 5 (Direct Sum). Let f^XxyxZhea relation. Let e, (5 G (0, 1/2) with e + 5 < 1/2. 
For one-round quantum protocols with prior entanglement, we get 

Qi, A-^B, pub ^jem^ > [2 (^d'^m • Q.Yr^''''^/)) • 

Similar result also holds by switching the roles o/ Alice and Bob. For simultaneous message protocols, 
we get 

Q^'P"^(/®™) > f?f(53m-Qp"'^(/)V 



Proof. We present the proof for one-round protocols and the proof for SMP protocols follows very 
similarly. Below we assume that in the one-way protocols we consider the single message is from 
Alice to Bob, and hence we do not explicitly mention it in the superscripts. Let e,6 be as in the 
statement of the theorem and let c = Qe'''" (J©™-). For showing our result we will show that for 
all distributions X on X x y, 

^Itt'if) = 0{^). (3) 

Using Yao's principle and Eq. (3), we immediately get the desired result as follows: 



)i'Pf(/) = max Ql'^s'^'^f) = Oi-^) = 0(-^-Qi'P"^ 



Let us now turn to showing Eq. (3). Since Qe'"^^ (/®™) = c, let V he a protocol (possibly using 
entanglement) for Z®™- with communication c and error on every input being at most e. Let us 
consider a distribution /i (possibly non-product) on X x y. Our intention is to exhibit a protocol 
V for / with communication 0{j^) and distributional error at most e + 6 under fj, and this would 
imply from definition that Q^f'g '^(/) = 0(tt— ), and we would be done. 
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From V let us get a protocol V' without prior entanglement in which Alice generates both parts 
of the shared state herself and then sends Bob's part as part of her first message. Alice and Bob 
then behave identically as in "P. Now let us provide inputs to V' as follows. Let ^x be the marginal 
of ^ on X. Recall that Alice has m parts of the inputs in V' . Let the input of Alice be distributed 
according to ^x in each part independently, and let Bob get input in every part. Let X be the 
random variable representing the combined input of Alice. Let Xj, i G [m] be the random variable 
representing the input of Alice on the i-th co-ordinate. Note that Xj,i G [rn\ are all independent. 
Let M represent the message of Alice. Now using Lem. 4 (irrespective of the number of qubits of 
prior entanglement in V) we have 2c > I{X : M). Now from Chain Rule of mutual information we 
get: 



m 

1c > I{X:M) = ^I{Xi:M). 

i=l 

Therefore there exists a co-ordinate io £ [^ such that I{Xig : M) < — . Now let us define a 
protocol V" for /, in which on getting input x G X,y € y respectively (sampled jointly according 
to n), Alice and Bob simulate V' by assuming x and y to be inputs for the io-th. co-ordinate. For 
the rest of the co-ordinates Alice generates the inputs independently according to the distribution 
Hx- Bob simply inserts as inputs in the rest of the co-ordinates. Alice then acts identically as in 
V and sends her message M" to be Bob, who then outputs his decision as in V. Note that in this 
case too I{X" : M") < — , where X'-' represents the input of Alice in the io-th co-ordinate. Also 
note that since the error of V on every input was at most e, we have that the distributional error 
under jj, in V" is also at most e. 

We are now ready to define our intended protocol V. Protocol V is obtained by compressing the 
message of Alice in protocol V" as according to Thm. 3 (by assuming t = 1). Hence the message of 
Alice in V has length 0(— ^) and the distributional error of V under fi is at most e + 5. D 

4 Multi-Round Message Compression and Weak Direct Sum 

4.1 Quantum Protocols 

In this section, we state and formally prove our results for compressing messages in multi-round 
quantum communication protocols for computing a relation fCXxyxZ. In our discussion 
below, A,X,B,Y denote Alice's work qubits, Alice's input qubits, Bob's work qubits and Bob's 
input qubits respectively, at a particular point in time. 

Definition 6 (Privacy loss). Let fi = ^x ^ l^y be a product probability distribution on X x y. 
Suppose V is a quantum protocol for a relation f <^ X x y x Z. Consider runs of V when Alice's 
input register X starts in the mixed state "^^ex l^x(-^)\-^)i-^\ '^'^^ Bob's input register Y starts in 
the pure state Yly^y yi^y(y)\y)- ^^^ ^ denote the qubits in the possession of Bob including Y, at 
some point during the execution ofV. Let I{X : B) denote the mutual information o/ Alice's input 
register X with Bob 's qubits B. The privacy loss ofV for relation f on the distribution /i from Alice 
to Bob at that point in time is L^{f,fi,A,B) = I{X : B). The privacy loss from Bob to Alice, 
L'^{f,lj,,B,A), is defined similarly. The privacy loss ofV from Alice to Bob for f, L'^{f,A,B), is 
the maximum over all product distributions ji of L^{f, i2,A,B). The privacy loss ofV from Bob to 
Alice for f , L^{f, B, A), is defined similarly. The privacy loss from Alice to Bob for f, L{f, A, B), is 
the infimum over all protocols V of L^{f,A,B) at the end ofV. The quantity L{f,B,A) is defined 
similarly. 
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Theorem 6 (Compressing many rounds). Suppose V is a [t;li,l2, ■ ■ ■ ,lt\ quantum protocol 

def 

without prior entanglement for a relation f C X xy x Z. Let /i = fix x fiy be a product probability 
distribution on X xy. Suppose the average error of V when the inputs are chosen according to fi 
is at most e. Let ka, kf, denote the privacy losses of Alice and Bob respectively after t' rounds of 
communication. Suppose t' is odd (similar statements hold for even t, as well as for interchanging 
the roles 0/ Alice and Bobj. Then, for all sufficiently small constants 5 > 0, there exists a[t — t' + 
1; Ai, A2, If +2, ■ ■ ■ ,h] protocol V' in the presence of prior entanglement such that: 

1. the average error ofV' with respect to /i is at most e + 6; 

2. Xi<ka- 2^('=''/^') and A2 < k'+i + 0{h/6^). 

Proof. Consider the situation after t' rounds of V. Let the joint state of Alice and Bob be denoted 
by 

Uxy'- when Alice starts V with x in her input register and Bob starts with y in his input register; 



Gx'- when Alice starts with x in her input register and Bob starts with the superposition Ylyi^y \/Hy(y)\y) 
in his input register; 

ay-, when Bob starts with y in his input register and Alice starts with the superposition "^^ex \//"A'(a;)|x) 
in her input register; 

a: when Alice and Bob start with the superposition '^(xy)(^xxy \//u(a;y)|a;)|y) in their input reg- 
isters. 

Note that axy, ctx, ay and a are pure states. 

We overload the symbols X,y to also denote the superoperators corresponding to measuring in 
the computational basis the input registers X, Y of Alice and Bob respectively. Whether X, y denote 
sets or superoperators will be clear from the context. When several superoperators are applied to a 
state in succession we omit the parenthesis; for example, we write Xy{p) instead of X{y{p)) which 
corresponds to measuring the input registers of Alice and Bob (in this case, their order does not 
matter) . 

We will choose 6a, Sb > later. Since the privacy loss of Alice is at most ka, Lem. 2 implies 
that there is a ((5a, a)-corrector {^Ax}xex for {{o'x}xex',a} with a = 2^^^^"' <^> . Similarly, since 
the privacy loss of Bob is at most kh, there is a ((5b,/3)-corrector {M.y}yey foi' {Wy]y&y'i'^} with 
j3 = 2'0^^b/&'i), In particular, with Mx =^ ^^,AMx] and My =^ ^^,y[My\, we have 



Mxi^r) 
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■Xia] 



tr 



<Sa, 



(4) 



< 



In our proof, we will take 



def 



6a 



def 6b(3 



(5) 



The proof has two steps. In the first step, we analyze the protocol V' given in Figure 1. In V' , 
Alice and Bob try to recreate the effect of the first t' rounds of the original protocol, but without 
sending any messages. For this, they start from the state a (their prior entanglement) and on 
receiving x and y, apply suitable correcting transformations. In the second step, we shall consider 
a protocol V" that starts with several parallel executions of V' . 
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Alice and Bob start with the joint state a as prior entanglement. 

Input: Alice is given x £ X; Bob is given y £Y. 
Alice: Applies superoperator Mx to her registers. 
Bob: Applies superoperator A^j, to his registers. 



Fig. 1. The intermediate protocol V' 



Let r. 



xy 



= JrMyMx{o-) and let r = E^ 



[rxy]- Then, r^y is the probabihty that both Alice and 



Bob succeed on input {x,y), and r is the probabihty that they succeed when their input is chosen 
according to the distribution /i. Let p denote the state after t' rounds of V when the inputs are 

chosen according to fi i.e. p = Kfj_[axy]. Observe that p = yX{a). Let p' be the state at the end 
of V' , when the inputs are chosen according to /i and we condition on both parties succeeding i.e. 



P 



MyMxJo') 



Claim, (a) 1 - ^ < ^ < 1 + f . 


(b) \\p-p'\\,^<25t. 


(c) Pr^ 


r r., ^ > 2<5;/2i 


< c 



Proof, (a) 



aj3 



af3 
-Tr [My 



a 



^TrMyXia) + ^TrMy (^^^^ 
p p \ a 



Xia, 



The first term on the right is 1 since ^Ay and X commute as they act on disjoint sets of qubits. 
For the second term, we have using (4), (5) and the fact that an unnormahzed superoperator 
cannot increase the trace norm, that 



(5 \ a ^ ' 



- I3~ 2- 
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(b) Using (4), (5), the fact that a measurement or an unnormahzed superoperator cannot increase 
the trace norm, and that My and X commute as they act on disjoint sets of qubits, we get 



p-p'L\\^yicT)-p'\L< 



X 



My{a) 



< 



< 



< 
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My 
1 



/3 
Xia) 
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tr 



X yia) 



Mxicr) 
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-My 

p a 

p a 

r MyMx{(^) 
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tr 



P 



aj3 
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My {a 
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My X{a 
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Mx{o- 
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tr 



+ 



tr 



<26b. 



(c) Let r describe the joint state of the input registers when the combined state of Alice and Bob 
is p; similarly, let r' be the state of their input registers when the combined state is p'; thus, 

T = ^Pa;j/k)(a;| (S)\y){y\ 

xy 

t' = ^Pxy-^\x){x\ (g) \y){y\. 



and 



xy 



Using part (b), we have 



2_^Pxy 



xy 



'_xy_ 

r 



t-t'II < \\p-p'\l <25h. 



Itr 



tr 



Thus, E^ [|^ - l|] < 2Sh, and by Markov's inequality, Pr^ 



pa-l > 25, 



1/2 



<<5, 



1/2 
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We can now move to the second step of our proof of Thm. 6. Figure 2 presents a protocol V" 
with t — t' + l rounds of communication where the initial actions of Alice and Bob are derived from 
the protocol V' analyzed above. 

Claim, (a) The number of bits sent by Alice in the first round is at most ka2^ ''' >; the number 

of bits sent by Bob is at most 0{kb/6^). 
(b) If the inputs are chosen according to the distribution p, the protocol V" computes / correctly 

with probability of error at most e + 5. 

Proof. RecaU that 4 = {6/lOf, (3 = 2-^'^'"'/^b) and 5a = 5bl3/2 and a = 2-C'(fca/<52). By part (a) of 
Claim 4.1 it follows that r > a/3/2. The number of bits needed by Alice to encode her set S is at 
most 
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Alice and Bob start with K = ^(log|) copies of a as prior entanglement. We refer to these 
copies as a^ , . . . , a^ . 

Input: Alice gets x £ X and Bob gets y £Y. 

Alice: Applies Ala; to each a'. Let S — {i : Mx succeeded on a'}. If S has less than 2aK 

elements, Alice aborts the protocol; otherwise, she sends 5 C 5 to Bob, |5| = 2aK. 
Bob: Applies A4y to each at for i £ S and sends Alice the index i* where he (and hence both) 

succeeded. If there is is no such i* he aborts the protocol. 

Alice and Bob now revert to protocol V after round t' , and operate on the registers corresponding 

tocr". 



Fig. 2. The final protocol V" 



The number of bits sent by Bob is at most log 2aK = O f t^ J . This justifies part (a) of our claim. 
For part (b), we will use Claim 4.1 to bound the probability of error V" . Call a pair (x, y) G Xxy 
good if 1^ — 1| < 2(5{j ; let x denote the indicator random variable for the event "(x,|/) is good." 
Let x' be the indicator random variable for the event "Alice and Bob do not abort protocol "P"." 
Note that if Alice and Bob do not abort protocol V" , they enter round t' + 1 of protocol V with 

their registers in the state a'^y = — "^^ ^ . Thus under distribution fi, the average probability of 
error of V" differs from the average probability of error e of the original protocol V by at most 



E 



M 



xx'h'x 



cr^. 



■xy -^xyw^j. 

The first term in the above sum can be bounded as follows 

1 



+ Pt[x = 0] + Pr[x = 1 and x' = 0]- 
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MYMxi<j)-Xy{a] 
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E„ 



XX 



'_xy_ 
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WMxMyia) 



< xy 



< 26b + 2(5, 



1/2 



(6) 



For the second last inequality, we used the fact that in the states a' and axy, the input registers 
of Alice and Bob contain x and y. For the last inequality, we used part (b) of Claim 4.1 and the 

1/2 

definition of good (x, y). The second term of (6) is at most df^ by part (c) of Claim 4.1. It remains 
to bound the last term of (6), which corresponds to the probability that Alice or Bob abort the 
protocol for some good (x,y). 
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Alice aborts: The probability of success of Mx for any one copy of a is exactly a. Thus, the 
expected number of successes is aK, and by Chernoff's bound (see e.g. [ASOO, Appendix A]), 
the probability that there are less than 2aK successes is at most (|) < 5^^. 

Bob aborts: Bob aborts when the two parties do not simultaneously succeed in any of the K 

1/2 

attempts, even though their probability of success was at least Vxy > (1 — 2(5^ )r > r/2 
(recall that we are now considering a good pair {x,y)). The probability of this is at most 
(l-i)^<exp(-f)<<5^ 

Thus overall, the average probability of error of V" is at most 

e + 24 + 25j/^ + 6l^^ + 5^^ + 6^<€ + S. 

D 
This completes the proof of Thm. 6. D 

The following corollaries result from the above theorem. 

Corollary 2 (Privacy tradeoflf). For any relation f C ^ xy x Z, L(/, A, S)2'^(^(-^''^'^)) > 
Qi,A-.B,pub,[](^)_ Similarly, L{f,B,A)20WfA,B)) > Qi,B-.A,pub,[](^)_ 

Remark: It was shown by Kremer [Kre95] that Q{f) > f2(logD^{f)), where D^{f) is the one-round 
deterministic communication complexity of /. The above corollary can be viewed as the privacy 
analogue of that result. It is optimal as evidenced by the Index function problem and the Pointer 
Chasing problem, both of which have communication complexity O(logn) [JRS02]. 

Corollary 3 (Weak Direct Sum). For any relation f C X x y x Z, 

Qpub,[]^^em) > m-J7(logQ^'P"'^'[ !(/)). 

Remark: Jain, Radhakrishnan, and Sen [JRS03a,HJMR07] proved Direct Sum results for classical 
multi-round protocols. Their results were stronger because it avoided the logarithm. However, if we 
want a Direct Sum result independent of the number of rounds, the above is the best possible as 
evidenced by the Index function problem and the Pointer Chasing problem [JRS02]. 

4.2 Classical Protocols 

Let "P be a classical private-coins two-way protocol for a relation f C X x y x Z. Let nxjfJ'Y be 

def 

probability distributions on X,y, and let fi = fix x fiy denote a product distribution on X x y. 
Consider a run of V, in which the inputs of Alice and Bob, are drawn according to distribution //. 
Let X and Y denote the random variables corresponding to the input of Alice and Bob respectively. 
Let M denote the complete transcript of the messages sent by Alice and Bob during the protocol. 
Let I{X : M) denote the mutual information between random variables X and M at the end of 
this run of V. 

Definition 7 (Privacy loss). The privacy loss of V for relation f on the product distribution n 
from Alice to Bob is defined as L/ {f, ii,A,B) = I{X : M). The privacy loss from Bob to Alice, is 
defined similarly as L^{f,fi,B,A) = I{Y : M). 
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Theorem 7. Let fCXxyxZbea relation and let e £ (0, 1/2). Let n be a product distribution 
on X X y. Let V be a private-coins protocol for f with distributional error at most e under fi. Let 
us assume without loss of generality that Alice sends the first message and Bob computes the final 
answer. Let L^{f,fi,A,B) < ka and L^{f,^,B,A) < kb- Let 5 > be such that e + 5 G (0,1/2). 
Then there exists a one-round public-coin protocol (and hence also a deterministic protocol) V with 
single communication from Alice, such that, 



1. Communication from Alice inV is O { —^^ ■ {ka + 1) • 2^^^^'^^^''^ > j . 

2. The distributional error ofV under fi is at most e + 5. 



Proof. Let the marginals of fi on X,y be ^xx-ilJ-Y respectively. Therefore ^ = ^x (^ A*y- Let the 
distribution of M (the combined message transcript in "P), when X = x and y = y, be Px,y Let 

Px = Ej^<„^y [P^i.j/], Py = "^x^nxl^x^y] and P = '&(^x,y)'^n[Px,y]- Let there be k messages in protocol 
V. Let Mi,M2, . . . Myfc denote the random variables corresponding to the first, second and so on 
till the /c-th message of the protocol V. Let S be the set of all message strings s. For s G S, let 
si,S2, ■ ■ ■ ,Sk denote the parts corresponding to Mi, M2, . . . M^ respectively. For i G [k], let p^'y{s, i) 
denote the probability with which Sj appears in Px^y conditioned on the first i — 1 messages as being 
si,S2, ■ ■ ■ Si-1. Similarly we define p^{s, i), p^{s, i) and p(s, i) corresponding to distributions Px^ Py 
and P. Let p^'y{s) denote the probability with which message s appears in Px,y Similarly let us 
define p^{s), p^{s) and p{s) corresponding to distributions Px, Py and P. Now we have the following 
claim. 

Claim. For all x£X,y£y,s£S, 

p^{s)-py{s) = p{s)-p^'y{s). 

Proof. Note that since "P is a private coins protocol and Bob sends even numbered messages, we 
have for all even i,\/x £ X,\/s G S,p^{s,i) = p{s,i). Therefore Vx G A", Vs G S, 



P'^is) _ ULiP''(.s,i) _ Ui:oddP''is^i) 



^(^) ULiPis,i) Ui:oddPis,i) ' 

Similarly we have for all odd i, Vy G 3^, Vs G S',p^(s,i) = p{s,i) and hence, 

P^^ILe^en^i^ 



(7) 



(8) 



We can note further that for Vx G X,\/y £ 3^,Vs G S; for all odd i,p^'y{s,i) = p^{s,i) and for all 
even i,p^'y{s,i) =p'y{s,i). Therefore, 

k 

p-^y{s) = \{p^^y{s,i) = n p"(s,i) • n p'{s,i). (9) 

j=l j:odd j:even 

Our claim now follows by combining Eq. (7), Eq. (8) and Eq. (9). D 

Let (5 = g. Since ka > L{M : X) = lKx<^i_ij([S{Px\\P)], using Markov's inequality we get a set 
Goodx ^ X such that 

Pr[x G Goodx] > 1 - (5 and Vx G Goodx, 5(P^||P) < %. (10) 

fix 
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Let X e Goodx. Since !f > S{P^\\P) = Es^p, 
such that 



1 P (s) 

log ^^-tV 

6 p(s) 



Pr[s G Good^l > 1 - (5 and Vs G Good^, ^^ < 2^ 



, using Lem. 3, we get a set Good^ C S 

(11) 



Similarly there exists a set Goody C 3^ such that 



Prfy G Goody] > 1 - 5 and Vy G Goody, 5(P„ IIP) < -^. 

Mi- 



Similarly for y G Goody, there exists a set Good^ C S such that 



Pr[s G Good^l > 1-5 and Vs G Good^ 



py{s) 

p{s) 



< 2" 



(12) 



(13) 



Let us now present an intermediate protocol V' in Fig. 3 from which we will finally obtain our 
desired protocol V. 



Alice and Bob, using shared prior randomness, generate an array of strings (each string belonging 
to the set S) with infinite columns and K = ( ^^ • In j J • 2^ ''^ '' rows. Each string in 
the array is sampled independently according to the distribution P. Let the random variables 
representing various strings be S''-',i £ [K],j £N (N is the set of natural numbers). 

Input: Alice gets x £ X and Bob gets y G F. 
Alice: She sets i = l,j — 1. 

1. In case x ^ Goodx, she aborts the protocol and sends a special abort message to Bob 
(using constant number of bits). Otherwise she moves to step 2. 

2. She considers string S*'-'. In case 5"'-' G Goodj,, she accepts S"'-' with probability 

\.,^'2 ■ (qtJ)- In case S^'-' ^ Goodo,, she accepts S"'^ with probability 0. 

3. In case she accepts S^'-' , she communicates j to Bob using a prefix free binary encoding. 
li i = K, she stops, otherwise she sets i = i + l,j — 1 and goes to step 2. In case she 
rejects S*'-', she sets j ~ j + 1 and moves to step 2. 

Let the various index communicated to Bob be denoted Ji,i £ [K]. 
Bob: He sets I = 1. li he gets abort message from Alice, he aborts the protocol, otherwise he 
goes to step 1. 

1. If y ^ Goody, he aborts the protocol. Otherwise he goes to step 2. 

2. He considers the string S^'''' , where J; is as obtained from Alice. If S^''^' G Goody, ho 



1 py{s'-^i) 



If 5"' 



Goody, he accepts 5' 



accepts S'''^' with probability 
with probability 0. 

3. In case he accepts S''''' , he considers it to be the the final message transcript M of 
protocol P and simulates P from now on to output z G .Z. In case he rejects S^'''' , if 
I = K he aborts the protocol, otherwise he sets 1 = 1 + 1 and goes to step 2. 



Fig. 3. The intermediate protocol P' 

Protocol V' is clearly one-way protocol. Now let us now analyze the expected communication 
from Alice to Bob in V' and expected error of V' . 



24 



Expected communication of V': When x ^ Goodx, there is constant communication. Let 
X G Goodx, and fix i G [K]. Then the probability that Jj = j given that the previous samples were 
rejected in the row i, is: 

y Ft{S^'^ = s) ■ Pr(s is accepted) 



ses 



y ^ Pr(S'*'-' = s) • Pr(s is accepted) + y^ Fi{S^'^ = s) ■ Pr(s is accepted) 



seGooda; S^Gooda; 

Y^ Pr(5*'^' = s) • Pr(s is accepted) + 

sGGoodj; 

1 P^(S) 1 T^ / ^ J X 1 



The last inequality follows from Eq. (11). Therefore expected value of Jj is — ^^^^^ — . Therefore, from 
concavity of the log function it follows that the expected communication from Alice to communicate 

Ji to Bob (using a prefix free binary encoding) is 0(log — y:^^ — ). This is true for every i G \K\. 

Therefore for x G Good^, expected communication from Alice is O I —g^ • [ka + 1) • 2 '-' ''^^'' ' 1 . 

Therefore overall expected communication from Alice is O I —^ • (ka + 1) • '£~'^^'^^^^il° > j . 

Expected error oiV': Alice aborts the protocol when x ^ Goodx, which happens with probability 
at most 6. Assume that Alice does not abort. Bob aborts the protocol when y ^ Goody, which 
happens with probability at most 5. When y G Goody, using a similar calculation as above we can 
conclude that Bob accepts the l-th sample (for any / G [K]), given that he has rejected the samples 
before is at least -tt^^Atti- Therefore, 

1-S \^ . ., 1 



Pr(Bob rejects ah K samples) < (^1 - ^^,^^,ys2 j < exp(-K • ^(^^^jy^) = S. 

Therefore, when {x,y) G Goodx x Goody, 

Pr(Bob aborts given input of V' is (x,y)) < 5. 

We have the following claim. 

Claim. Let (x, y) G Goodx x Goody and Bob does not abort. Then, 

1. If s G Good^ n Goody then Pr(Bob sets M = s) = p,(,gGood!nGood,) - 

2. If s ^ Goodj: n Goodj^ then Pr(Bob sets M = s) = 0. 

We defer the proof of this claim to later. Let us now analyze the expected error of the protocol V' 
assuming Claim 4.2 to be true. Let e^ y stand for error of V' when input is (x, y). From above claim, 
if {x, y) G Goodx x Goody and Bob does not abort, then the ii distance between the distribution 
of M in V' and P^^y is 2(1 — Pr(s G Good^ n Goodj^)) < 26. Therefore if {x,y) G Goodx x Goody 
and Bob does not abort, then e^ „ < e^.j/ + S, where €x,y is the error of V on input (x, y). Therefore, 
for {x,y) G Goodx x Goody, 

Pr('P' errs on input {x, y) given Bob does not abort) < ex^y + 5. 
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This implies: 



IE(x,y)e Goodxx Goody [Pr(T'' errs on input {x,y) given Bob does not abort)] 

^ ^I^(x,j/)e GoodxX Goody [£a;,j/J + 



< 



1 



< 



Pr((a;,y) G Goodx x Goody 

1^ + ^ 



-^ix,y)£Xxy[(^x,y] +^ 



Expected error of V' 

< Pr(x ^ Goodx) +Pr(y ^ Goody) + Pr((2;,y) G Goodx x Goody) • Ea;gGoodx,j/GGoody [4j 
<6 + 6 

+ Pr((a:,y) G Goodx x Goody) • (E^gGoodx,j/eGoody [Pr(Bob aborts given input oi V' is (x,y))] 
+ IEa;gGoodx,j/GGoody [Pr('P' errs given x £ Goodx,y G Goody and Bob does not abort)]) 

e 



< 2(5 + 5 + (Pr((x, y) G Goodx x Goody) 
<46 + e. 



Pr((x,i/) G Goodx X Goody^ 



+ S 



We are now finally ready to describe the protocol V. 
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Let c be the expected communication from Alice to Bob in protocol V' ■ 

Input: Alice gets x a X and Bob gets y £Y . 

Alice: She simulates protocol V' ■ If for some choice of the public coins the bits needed to 

communicate all Ji,i £ [K] exceeds c/S, she aborts the protocol and sends a special abort 

message to Bob in constant bits. 
Bob: In case he does not get abort message from Alice, he proceeds as in protocol V' ■ 



Fig. 4. The final protocol V 



Now it is clear that the communication of V is as claimed. Also it is easily noted that the 
expected error of V is at most expected error of V' plus 5 which is e + 5(5 = e + 5 as claimed (since 
5 = 1). 
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Proof of Claim 4.2: Let / G [K]. Then conditioned on Bob rejecting first I — 1 samples, for 
s G Goodj: n Goodj^, 

Pr(Bob's outputs S^'-^' and S^'^' = s) 
= Fr{S^'ii = s) ■ Pr(Alice accepts S^'^') ■ Pr(Bob accepts 5''^0 



p{s 






2(fca + fc6 + 2)/<52 • 

Tlierefore conditioned on Bob rejecting first I — 1 samples, 

Pr(Bob's outputs S^'^') = ^Pr(Bob's outputs S^'^' and S^'^' = s) 

ses 

Y^ Pr(Bob's outputs 5''^' and 5^'^' = s) 

sGGoodajnGoody 

= 2ika+k,+2)/s^ ■ P^(" ^ G°°^- ^ Good,). 
Tlierefore, conditioned on Bob rejecting first / — 1 samples, for s £ Goodj: n Good,, 

Pr(Bob's outputs S^'^' and S"''^' = s) 



Pr(Bob's outputs s given Bob outputs S '^'] 



Pr (Bob's outputs S^'^'] 



Pr(s G Goodj: n Goodj^) 



Clearly for s ^ Goodie n Goody,Pr(Bob's outputs s given Bob outputs S'''-'') = 0. Our claim now 
immediately follows. D 

As before we get the following corollaries from the above theorem. 

Corollary 4 (Privacy tradeoff). For any relation f : X xy ^ Z, L{f,A,B)2'^^^'^f'^'^'^'> > 
Ri,A^B,[](j)_ Similarly, L{f,B,A)20(Lif,AB)) > r1,b-a,[](^)_ 

Corollary 5 (Weak Direct Sum). For any relation f : X x y ^ Z, 

R[1(/®'") > m-r?(logRi'[ !(/)). 

5 Entanglement Reduction 

We will need the following geometric result. It is similar to a result proved earlier in [JRSOSa]. 

Lemma 5. Suppose M, N are positive integers with M = ©(A^^'^ log A^). Let the underlying 
Hilbert space be C^^. There exist 16N subspaces Vij < C^, l<i<N,l<j< 16, each of 

dimension j^, such that if we define Uij to be the orthogonal projection onto Vij and pij = -^ • Flij, 
then 

1. yiJJr^nijPij) = 1. 

2. yi,j,i',j', i + i', Jr{nijPi,j>) < 1/4. 
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3. yi,j,j',j^j',Mn,,p,j.) = o. 

4- Vi, Im = ^7=1 n^ij, where Im is the identity operator on C^ . 

5. For all subspaces W of dimension at most N^'^, for all families of density matrices {cjjjjgrTvi.Kjxie; 
aij supported in W, 

\{i : 3i, 1 < J < 16, Tr(i7,,c7,,) > 9/16} | < N/A. 

Proof. (Sketch) The proof follows by combining the proofs of Thm. 5 and Lem. 7 of [JRS03a]. We 
skip a full proof for brevity. D 

We shall also need the following easy proposition. 

def 

Proposition 2. Let |0)a_b be a bipartite pure quantum state. Define e = E{\cl))). Then there is a bi- 
partite pure quantum state \(I)')ab having Schmidt rank at most 2^^^^^ such that |||0)(0| — |0')(0'|||ti. < 
1/20. 



Proof. Let \(P)ab = J2i \'^i\'^i) A\bi) B be the Schmidt decomposition of \(p), Aj > 0, J2i -^i = 1- ^^' 
fine a set Good = {i : Xi > 2^^°'^^}. Since e = — J2i ^i log-^i) by Markov's inequality ^jgCooj Aj > 
99/100. Define the bipartite pure state \(J)')ab = XlieGood V^|aj)A|^i)B normalized. The Schmidt 
rank of \(f>')AB is at most 2^00e ^^^^ |||0)(0| - |(/'') (</>'! Iltr < 1/20. □ 

We are now ready to prove our impossibility result about black-box reduction of prior entan- 
glement. 

Theorem 8 (No black-box red. of prior entan.). Let EQ„ denote the Equality function on 
n-bit strings. There exists a one-round quantum protocol V for EQ^ with ^ + logn + 0(1) EPR 
pairs of prior entanglement and communicating 4 bits such that, there is no similar protocol V' that 
starts with a prior entangled state {(p), -E(|0)) < q^q. 

Proof We use the notation of Lem. 5 with M = 2™ and iV =^ 2". Let < i < 2" - 1 i.e. 
i G {0, 1}". Choose m = -|^ + logn + 0(1). Let "P be a one-round protocol with m EPR pairs of 
prior entanglement. In V, on input i Alice measures her EPR halves according to the von-Neumann 
measurement {-^j}i<j<i6 and sends the result j as a 4-bit classical message to Bob. The state of 
Bob's EPR halves now becomes pij. On input i' and message j' , Bob performs the two-outcome 
measurement {Iliiji, Im — Ei/jf} on his EPR halves. Therefore in V, Bob outputs 1 with probability 
1 if i' = i and with probability at most 1/4 if i' ^ i. Thus, "P is a protocol for EQ„. 

Suppose there exists a protocol V' similar to V that starts with an input independent shared 
state \(J)')ab on m + m qubits. Suppose E{\(j))) < n/10. By Proposition 2, there is a bipartite pure 
state \(I)")ab on m + m qubits having Schmidt rank at most 2"'^ such that |||'/'')('^'| — |0")('^"llltr — 
1/20. Consider the protocol V" similar to V' starting with \(J)")ab as prior entanglement. Since 
V" is similar to V' , it is also a one-round protocol with 4 classical bits of communication. Let a^j 
be the state of Bob's share of prior entanglement qubits after the first round of communication 
from Alice when Alice's input is i and her message is j. Since the Schmidt rank of \(p") is at most 
2"''^, the CTjj, < i < 2" — 1, 1 < J < 16 have support in a 2"' ^-dimensional space. Let pij be 
the probability with which Alice sends message j when her input is i. It follows that for all i, 
'^j^iPj'^fMijaij ^| — ^ — ^ = ^- This implies that for all i there exists a j, 1 < j < 16, such 
that TrMijCTij > 13/20 > 9/16. From Lem. 5 this is not possible, and hence no such protocol V' 
exists. D 
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6 Exact Remote State Preparation 

Proof of Thm. 2: We start with the fohowing lemma which may be of independent interest. 

def 

Lemma 6. Let p = \(j)) {4'\ ^ Ti he a pure state and a ^ Tt be any positive definite matrix. Then 
the maximum value of k such that, a — kp > 0, is {{(p\a~^\(j)))^^ . 

Proof. First we show that, {(l)\a^^\(l))a—p > 0. Let \v) G 7i. Let \vji) = a^^'^\4>) and \w2) = a^''^\v). 
Now Cauchy-Schwartz inequahty impHes, 

{Wl\wi) {W2\W2) > \{WI\W2)\'^ 

=> {<P\a-'\<P){v\a\v) > Mv)\^ 

^{vMa-^\cl>)a\v)>{v\<P){<P\v) 

^ {v\{{cl>\a~'\cl>)a - \(l)){<P\)\v) >0 

Now since above is true for every \v) £ 7i we have that (</>|o"~^|(/>)o" — \(p){4'\ > 0. 

Next we show that if /c > {{(f)\(T~^\(/)))^^ then a — |<^)(<^| is not positive semi-definite. For this let 

\v) = a~^\(p), and in this case \wi) = \w2). Now since o" > and k > {{(j)\a~^\4>))~^ we have, 

{v\ik-'a - \cl>){mv) < {v\ma-'\cl>)a - |0)(0|)|^) 
= {<P\a-^\(l)){v\a\v)-Mv)\'' 

= {Wl\wi) {W2\W2) - \{wi\ui2)\'^ 

= 
Hence k^^a — |0)(0| is not positive semi-definite. D 

Let p = 1 0) (01, (T be some full rank state and let A; = ((01 0-^^10) )^^. Let p' = a—{(j)\a~^\(j)))~^p. 
Lem. 6 implies p' > 0. Let /C be a Hilbert space with dim{IC) = dim{7i). Let \9) G /C W be some 
purification of p' and |0) be a fixed vector in /C. We now define. 

We note that the marginal oi \tjj) p m. 7i is a. 

We have the following lemma due to Jozsa and Uhlmann [Joz94,Uhl76]. 

Lemma 7 (Local transition). Let p he a quantum state inTC. Let |0i) and |02) be two purification 
of p inlC^Ti. There is a local unitary transformation U acting on K, such that {U ®L)\(j)i) = |02). 

Now consider the following protocol V: 

1. Alice and Bob start with several copies of a fixed pure state \ip) such that marginal on Bob's 
side in \iIj) is a. 

2. On getting x, Alice transforms using a local unitary the first copy of \ip) to |V')pa;- This can be 
done using Lemma 7, since the marginal on Bob's side in both |i/^) and \ip)p^ is a. She then 
measures the first qubit. 

3. She keeps doing this to successive copies of \ip) until she gets the first 1 on measurement. She 
communicates to Bob the first occurrence of 1. 

From the definition of \ip)p^., we note that in the copy in which Alice gets 1, Bob ends up with 
Px. Also, (from concavity of the log function) it can be verified that, using a prefix- free encoding of 
integers that requires log n + 2 log log n bits to encode the integer n, the expected communication 
of Alice is bounded by \og{J'ca~^ px) + 21oglog(Trcj~^/9a:). Hence our theorem. D 
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Remarks: 

1. For any fixed state a of full rank, from the above proof, we get a protocol Va such that given the 
description of any pure state p to Alice, she ends up creating p with Bob with communication 
\og{Jra~^p). 

def 

2. We note that when px = \<l)x){4'x\ then from concavity of log function we have, S{px\\(y) = 
{(f)x\ log(T|(/)) < \og{(f)\a~^\(f)x) ■ Therefore the approach that we take here, which is analogous to 
the rejection sampling approach of [HJMR07], does not help us in getting the communication 
down to ^(pajlla") which happens in [HJMR07] for a similar problem in the classical setting. 

3. It is open as to whether the communication could be brought down to S{px\\(t)- Also the case 
when px is not necessarily a pure state is open. 

4. The inexact version of this problem was considered in [Jai06] where some fidelity loss in gen- 
erating Px was allowed. There using the substate theorem, the task was accomplished with 
communication S{px\\<7)/e at the end of which Bob got a state p'x which was e close in trace 
distance to px (not necessarily pure). 
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